Welcome to the #29 edition of Rust in Blockchain, the monthly newsletter about Rust, distributed systems, cryptography, and other industry topics. Previous: #28.
With total value locked (TVL) measurements going up, up, up across the blockchain world, Ethereum extremely congested, and liquidity providers fleeing to blockchains with high yields and low fees, there are huge efforts on many chains to get dapps out fast and attract market share. In the Rust world some notable developments:
- NEAR launched an $800 million ecosystem fund and has been quietly climbing up the DeFi TVL charts.
- Secret Network can now bridge to multiple chains and its SecretSwap has enough liquidity that it will soon be a viable route for discreetly moving assets between the burgeoning multi-chain ecosystem.
- The Internet Computer (previously DFINITY) has been cranking out blog posts, both about technical matters and partnerships. They are running a developer grants program.
- Nervos has launched their Force Bridge to connect to Ethereum, and is working to add EVM compatibility.
- Polkadot has been running a high-profile auction for parachain slots on its canary network, Kusama, and will soon begin auctions for the main Polkadot network. Some of the Kusama parachains, notably Moonriver, are already up and running and attracting EVM-compatible dapps like Sushi.
- Solana has turned into a bit of a juggernaut, with huge financial backing, and TVL only behind Ethereum and Binance Smart Chain. It has been attracting dapps and protocols that were previously EVM-only, like Lido and RenVM; but it also has a strong stable of its own Solana-native dapps.
In RiB news, this month we’ve added a “Security Advisories” section, summarizing all the Rust security advisories of the month from RustSec, and GitHub Advisories. Seeing them all in one place is revealing: lots of security-relevant bugs in crates used in, or created by, the blockchain industry.
This month, upon prompting, we added a Zcash donation address, and immediately received 3 donations. Thanks to the Zcash twitter community! RiB donations are 100% earmarked for supporting developers through event sponsorships, etc. The donation addresses can be found on the sidebar of the website.
RiB needs help to keep up with Rust blockchain projects. If you follow a particular project, or otherwise find information that is beneficial to the Rust & blockchain community, please contribute to the next issue by submitting a PR to the next draft.
Each month we like to shine a light on a notable Rust blockchain project. This month that project is…
Mina is a new blockchain network that uses zero-knowledge proofs to validate the state of the chain without access to a full blockchain, but instead only a tiny (~22k) proof. This should enable even mobile devices to participate in the network as full validators, requiring less trust than today’s situation where most clients are connecting to other peoples’ full nodes hosted in the cloud. They are calling this style of chain a “succinct blockchain”, and have caught the attention of a number of other projects, forming partnerships to bring the idea to other chains.
mina-rs is an implementation of Mina in Rust, developed by ChainSafe. It is developed not only with mobile environments in mind, but WASM too, which suggests we’ll be able to embed a full node directly in the browser.
Some recent information about Mina / mina-rs:
- Rising Tides: How the Mina Protocol can benefit Web 3.0
- Mina: Decentralized Cryptocurrency at Scale (whitepaper)
- 22kB-Sized Blockchain — A Technical Reference
- Mina Product Priorities & Mina Foundation Mission
- Rudra: Finding Memory Safety Bugs in Rust at the Ecosystem Scale
- Anatomy of a STARK
- FROST: Flexible Round-Optimized Schnorr Threshold Signatures
- Counter-Strike: Threshold Attack
- A Guide to AppliedZKP zkEVM Circuit Code
- Plumo: An Ultralight Blockchain Client
- Encryption to the Future: A Paradigm for Sending Secret Messages to Future (Anonymous) Committees
- On the security of ECDSA with additive key derivation and presignatures
- How to Prove Schnorr Assuming Schnorr: Security of Multi- and Threshold Signatures
- Shade Protocol is an array of connected privacy-preserving dApps built on Secret Network.
- RUSTSEC-2021-0120: Unsoundness in abomonation. abomonation transmutes &T to and from &[u8] without sufficient constraints.
- RUSTSEC-2021-0121: Unsoundness in crypto2. Non-aligned u32 read in Chacha20 encryption and decryption.
- CVE-2021-20319: coreos installer improperly verifies GPG signature when decompressing gzipped artifact. coreos-installer fails to correctly verify GPG signatures when decompressing gzip-compressed artifacts. This allows bypass of signature verification in cases where coreos-installer decompresses a downloaded OS image, allowing an attacker who can modify the OS image to compromise a newly-installed system.
- CVE-2020-26281: Async-h1 request smuggling possible with long unread bodies. This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications.
- CVE-2021-41138: Validity check missing in Frontier. In the newly introduced signed Frontier-specific extrinsic for pallet-ethereum, a large part of transaction validation logic was only called in transaction pool validation, but not in block execution. Malicious validators can take advantage of this to put invalid transactions into a block.
- CVE-2021-41149: Improper sanitization of target names. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached or saved, files could be overwritten with arbitrary content anywhere on the system.
- CVE-2021-41150: Improper sanitization of delegated role names. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system.
- CVE-2021-41153: Specification non-compliance in JUMPI. In evm crate < 0.31.0, JUMPI opcode’s condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check.
- GHSA-v935-pqmr-g8v9: Unexpected panics in num-bigint. Two scenarios were reported where BigInt and BigUint multiplication may unexpectedly panic.
Most Active in October
- Mina-rs Update: Some Rust serialization tricks with Serde
- ChainSafe launches Forest, the Rust Filecoin Client
- Gossamer: Into the Polkadot-verse Pt. 3
- Optimizing the Internet Computer Memory System’s Performance
- Secure Scalability: The Internet Computer’s Peer-to-Peer Layer
- Resumption: How Internet Computer Nodes Quickly Catch Up to the Blockchain’s Latest State
- Polkadot Is Ready for Parachain Launch, Auction Dates Proposed
- Polkadot Hackathons Are Going Global, Starting in Asia Pacific
- Secret Feature: Shade Protocol & Silk
- Altermail is LIVE on Mainnet!
- Secret Feature: SiennaSwap Launches on Mainnet!
Nov 11 - Dec 8 | Online
Nov 15-19 | Online
Nov 18-19 | Online
Dec 1-3 | Seoul, Korea
Dec 14-15 | Online
Jan 24-26, 2022 | Arrillaga Alumni Center, Stanford University
Feb 14-18, 2022 | Canada
Anoma | Berlin, Remote
- Senior Rust Engineer
- Rust P2P Networking Engineer
- Technical Engineering Manager
- Zero-Knowledge Cryptographer & Protocol Developer
- Distributed Systems Research Engineer
Aurora | Remote
NEAR | Remote
More jobs can be found at Job Board.
Want to be included in the next issue? Feel free to submit a PR to the #30 draft.
Join the discussion on RiB telegram group ❤️